Office of Inspector General
U.S. Department of Labor
Office of Audit

CONTROLS OVER THE DISCLOSURE, ACCESS, AND USE OF SOCIAL SECURITY NUMBERS IN THE FEDERAL EMPLOYEES COMPENSATION ACT PROGRAM

EMPLOYMENT STANDARDS ADMINISTRATION

FEBRUARY THROUGH AUGUST 2002

Report Number: 03-03-002-04-001
Date Issued: December 20, 2002


TABLE OF CONTENTS

ACRONYMS

EXECUTIVE SUMMARY

BACKGROUND

OBJECTIVES, SCOPE, AND METHODOLOGY

AUDIT RESULTS, FINDINGS, AND RECOMMENDATIONS
    1. The Standard Claim Forms Need to be Revised
    2. A Cost-Effective Plan for Onsite Monitoring of Contractors and Other Entities Needs to be Implemented
    3. Controls over the Release of Records to Noncontractor Physicians Need to be Improved

AGENCY'S RESPONSE TO DRAFT REPORT

U.S. DOL/OIG Audit Report 03-03-002-04-001


ACRONYMS

CIO     Chief Information Officer
DFEC    Division of Federal Employees' Compensation
DLMS    Department of Labor Manual Series
DOL     U.S. Department of Labor
ESA     Employment Standards Administration
FECA    Federal Employees' Compensation Act
FOIA    Freedom of Information Act
FY      Fiscal Year
GAO     General Accounting Office
IME     Independent Medical Examination
OIG     Office of Inspector General
OWCP    Office of Workers' Compensation Programs
PCIE    President's Council on Integrity and Efficiency
SSA     Social Security Administration
SSN     Social Security Number
USC     United States Code


EXECUTIVE SUMMARY

The Social Security Number (SSN) was created in 1936 as a means of tracking workers' earnings and eligibility for social security benefits. Over the years, the SSN has become a de facto national identifier used by Federal agencies, state and local governments, and private organizations. In recent years there have been concerns related to perceived widespread sharing of personal information and occurrences of identity theft. Therefore, the chairman of the House Ways and Means Subcommittee on Social Security requested the Social Security Administration's (SSA) Office of Inspector General (OIG) and the President's Council on Integrity and Efficiency (PCIE) to determine, across government, the methods Federal agencies use to disseminate and control the SSN. The PCIE, through the SSA/OIG, requested the OIG members of the PCIE to perform an audit of controls over the disclosure, access, and use of SSNs in one of their department or agency programs.

Using instructions provided by the SSA/OIG and the PCIE, we assessed the relative risks of improper disclosure, access, and use of SSNs for the five programs identified by DOL as collecting the largest number of SSNs. Based on our assessment, we selected the U.S. Department of Labor's (DOL) Federal Employees' Compensation Act (FECA) program for our audit. The Employment Standards Administration's (ESA) Office of Workers' Compensation Programs (OWCP) administers FECA. OWCP's Division of Federal Employees' Compensation (DFEC) is responsible for managing FECA programs.

The overall audit objective was to assess DFEC's management controls over the disclosure, access, and use of SSN information by third parties. Our specific audit objectives were to determine if DFEC: (1) has adequate controls to ensure legal and informed disclosures to third parties; (2) has adequate controls over contractors, and other entities, who have access to and use of SSNs; and (3) has adequate controls over access to SSNs maintained in its databases.

To perform our audit, we followed the procedures in an audit guide provided by the SSA/OIG. To accomplish the audit we interviewed DFEC officials, reviewed policies and procedures relevant to the audit objectives, visited the FECA central mail facility, and considered the results of an OIG audit on general controls and security over selected financial management systems, which included the Federal Employees' Compensation System. The SSA/OIG audit guide did not require, nor did our audit include, testing the effectiveness of DFEC controls over the disclosure, access, and use of SSNs. We conducted our fieldwork from February to August 2002.

Overall, our audit determined that management controls within the FECA program, if followed, provide reasonable assurance that legal and informed disclosure is taking place, and that adequate controls exist over the access and use of SSNs by contractors and other entities. Our examination of third parties' contracts disclosed that appropriate security procedures exist for safeguarding SSNs, and the contracts do include the Privacy Act notification. We also determined that adequate controls exist over the access and use of SSNs in DFEC's automated databases.

However, we noted several opportunities for OWCP to improve existing DFEC controls over SSNs for FECA. Specifically, we found:

    1. Standard forms used for claims do not directly associate the claimant's signature with his or her acknowledgement of the Privacy Act Disclosure Statement. The multiple-page form requires the claimant's signature on the first page; however, the Privacy Act Disclosure Statement does not appear until the last page. Since the other pages are completed by individuals other than the claimant, questions could be raised about whether the claimant was aware that disclosures of information on the form to third parties could occur.

    2. Limited onsite monitoring is done of contractors and other entities that have access to claimant files containing SSNs. Instead of onsite monitoring, DFEC relies on the training it provides to the contractors as part of the certification process. However, without sufficient onsite monitoring, DFEC cannot ensure that contractors and others are complying with security and disclosure requirements.

    3. DFEC is not consistently providing physicians who do not have contracts or agreements with DOL with adequate notification of their responsibilities to comply with Privacy Act requirements when they are provided FECA claimant case files. Additionally, we were told about instances in which claimant files provided to physicians conducting independent medical examinations (referred to as Independent Medical Examination (IME) physicians) have either been lost or returned with missing documents.

To improve controls over DFEC's use and security of SSNs, we recommend that the Assistant Secretary for Employment Standards require OWCP to:

    1. Revise the standard claimant forms to ensure that the claimant is aware of the Privacy Act Disclosure Statement.

    2. Develop and implement a cost-effective, onsite monitoring program that will provide reasonable assurance that contractors and other entities are complying with the requirements for safeguarding the access and use of FECA claimants' SSNs.

    3. Provide second opinion and IME physicians a cover letter when providing them claimant files or documentation, explaining in detail the physicians' responsibility to comply with Privacy Act requirements.

    4. Explore the extent and cause of losses of claimant files or documents by IME physicians and take any necessary corrective action.

Our conclusions and recommendations are valid only with regard to the management controls over FECA as they existed during the period of the audit, February to August 2002. Projection of the adequacy of FECA management controls to future periods is subject to the risk that those controls may become inadequate because of changes in conditions, or that the effectiveness of the design and operation of policies and procedures may deteriorate.

In response to the draft report, the Assistant Secretary for Employment Standards generally agreed with the findings and recommendations. The recommendations can be resolved when ESA provides the planned dates for achieving the corrective action. The entire response is included at the end of this report.


BACKGROUND

SSA created the SSN in 1936 as a means of tracking workers' earnings and eligibility for social security benefits. Over the years, the SSN has become a de facto national identifier used by Federal agencies, state and local governments, and private organizations. Government agencies frequently ask individuals for their SSNs to comply with applicable laws and regulations or to efficiently track and exchange information. A number of laws and regulations impose limitations on how agencies may use SSNs.

Due to concerns related to the perceived widespread sharing of personal information and occurrences of identity theft, the chairman of the House Ways and Means Subcommittee on Social Security requested the SSA/OIG and the PCIE to determine, across government, the methods that Federal agencies use to disseminate and control the SSN. The PCIE, through the SSA/OIG, requested OIG members of the PCIE, including DOL, to participate in an audit of the controls over the disclosure, use, and access of SSNs. The results of the work performed by all the OIGs that participated in this PCIE initiative will be consolidated in a report to be issued by the SSA/OIG.

The Federal Employees' Compensation Act Program

DOL, through ESA, is charged with administering the FECA program. The Federal Employees' Compensation Act, 5 U.S.C. § 8101-8193 (FECA), provides compensation and medical benefits to Federal civilian employees and their dependents for job-related injuries, diseases, or deaths. Within ESA, OWCP's DFEC has the responsibility for establishing policies and procedures for the administration and operation of the FECA program. DFEC has 12 district offices throughout the country to service FECA claimants.

FECA provides workers' compensation coverage to three million Federal and Postal workers around the world for employment-related injuries and occupational diseases. During Fiscal Year (FY) 2000, over 176,000 new cases were opened, and the program provided nearly 273,000 workers more than $2 billion in benefits for work-related injuries and illnesses. According to DFEC, there were about 360,000 Federal employees' SSNs in its computer system at the end of calendar year 2001.

To claim benefits under FECA, an employee who sustains a work-related traumatic injury or an occupational disease must give notice in writing on Form CA-1 or Form CA-2, respectively. The employee or another person must forward this notice to the employer. According to FECA procedures, it is mandatory that an injured employee provide his or her SSN in order to receive program services.

DFEC assigns the case a primary identification number that is unique to the district office. DFEC uses the claimant's SSN as a secondary identifier. However, various entities outside of DFEC (e.g., other Federal agencies, medical providers, claimants, claimant representatives, etc.) make requests for claimant information using the claimant's name and SSN. The requests are made using the claimant's SSN because it is a unique identifier commonly used by private organizations and Federal, state, and local governments as a method for filing records.

Six types of OWCP contractors used for the FECA program are authorized to have access to claimants' SSNs. The types of contractors and the services they provide are:

    1. Nurses. These contractors assist claimants in person or by telephone in managing the claimant's health issues.

    2. Data Entry. These contractors provide DFEC district offices with data entry technicians responsible for keying claimant data into various forms and files.

    3. Systems Management. These contractors are responsible for managing and maintaining the automated data processing system used for the FECA program.

    4. Central and Local Mail. One contractor operates the DFEC central mailroom and another contractor supplies staff to supplement the Federal staff at the DFEC district office mailrooms. The central mailroom contractor is also responsible for imaging claimant documents into an electronic file.

    5. Rehabilitation. OWCP has contracts with numerous vocational rehabilitation counselors to transition injured employees from non-working to working status.

    6. Physician Brokers. These contract physician brokers obtain physicians who provide second opinions to independently determine a claimant's physical or mental status relating to the reported injury/illness. These second opinion physicians are not under contract with OWCP.

The Privacy Act and the Freedom of Information Act (FOIA) establish the framework for restricting SSN disclosure. [1]

The Privacy Act. The Privacy Act regulates the collection, maintenance, use, and dissemination of personal information by Federal executive branch agencies. In particular, the Privacy Act requires that Federal agencies maintaining systems of records containing information of a personal nature and retrieving data by name, or other personal identifying designation (e.g., SSN), establish rules of conduct for employees involved in the design, development, maintenance, or operation of any such system.

DOL's Department of Labor Manual Series (DLMS) 5, Chapter 200, prescribes the rules of conduct and responsibilities for DOL employees in the handling of personal information contained in systems of records covered under the Privacy Act of 1974 that are in the custody of DOL, excluding Civil Service Commission personnel records.

FOIA. The FOIA generally provides that any person has a right to obtain access to Federal agency records, except for those records that are protected from disclosure by nine stated exemptions. Under exemption 6 of the FOIA, the government is permitted to withhold information about individuals in "personnel and medical files and similar files the disclosure of which would constitute a clearly unwarranted invasion of personal privacy."

DLMS 5, Chapter 300, interprets the requirements of the FOIA, establishes uniform procedures, and assigns responsibilities for responding to requests for records.

[1] Privacy Act (5 U.S.C. § 552a) and Freedom of Information Act (5 U.S.C. § 552).


OBJECTIVES, SCOPE, AND METHODOLOGY

OBJECTIVES

The overall audit objective was to assess the extent of DFEC's management controls over the disclosure, use, and access of SSN information by third parties. Our specific audit objectives were to determine if DFEC: (1) has adequate controls to ensure legal and informed disclosures to third parties; (2) has adequate controls over contractors, and other entities, who have access to and use of SSNs; and (3) has adequate controls over access to SSNs maintained in its databases.

SCOPE AND METHODOLOGY

We selected the FECA program for the audit based on the results of our review of the responses to a questionnaire sent by the General Accounting Office (GAO) to DOL's Chief Information Officer (CIO). GAO requested information on the five largest DOL agencies that routinely collect, maintain, and use SSNs. [2] We reviewed the responses to the GAO questionnaire to determine which of the five programs appeared to have the highest risk of improper disclosure, access, and use of SSNs. The five DOL programs, all administered by ESA, were: FECA, Black Lung, Longshore, Energy Employees Occupational Illness Compensation, and Wage and Hour. Our review found no obvious reported weaknesses concerning the security of SSNs for any of the five DOL programs that would cause us to select one program over another for audit. Therefore, we selected FECA for our audit primarily because it was the largest of the five DOL programs that collected and used SSNs.

The scope of our audit included assessing the procedures DFEC had in place during our fieldwork that were relevant to the disclosure, access, and use of SSN information. We conducted our fieldwork from February to August 2002 at the DOL National Office in Washington, DC.

To perform our audit, we followed the procedures in an audit guide provided by the SSA/OIG for this PCIE initiative. The PCIE SSA/OIG audit guide procedures directed us to confirm the information provided in the CIO's responses to the GAO questionnaires that were relevant to the audit. Following the procedures provided in the PCIE SSA/OIG audit guide, we:

    1. interviewed DFEC officials responsible for answering sections of the GAO questionnaire relevant to our audit;

    2. verified and updated relevant information provided on the GAO questionnaire;

    3. obtained supporting documentation; and

    4. followed up on any vulnerabilities reported in the GAO questionnaire by DFEC officials.

To determine if DFEC had adequate controls over access to SSNs maintained in its databases, we also reviewed and relied on an OIG audit report [3] on general controls and security over selected financial management systems, which included the FECA system.

The PCIE SSA/OIG audit guide did not require, nor did our audit include, testing the effectiveness of DFEC controls over the disclosure, access, and use of SSNs.

We also performed work beyond what the PCIE SSA/OIG audit guide required. Specifically, we:

    1. Contacted one of the DFEC district offices to obtain documentation and a detailed explanation of the process of disclosing SSNs to physicians responsible for conducting second opinions and independent medical examinations.

    2. Visited the DFEC central mail facility that is located in a commercial building in London, Kentucky, and operated by a contractor. Of all OWCP contractors, this one had the most access to SSNs. We obtained a verbal description of the process used to collect and destroy documents that contained SSNs, and we physically observed the controls in place to secure the documents.

We performed our audit in accordance with Government Auditing Standards issued by the Comptroller General of the United States.

[2] The questionnaire was part of a study GAO conducted on how and to what extent Federal, state, and local government agencies use SSNs, and how these entities safeguard records or documents containing those SSNs. GAO sent the questionnaires to 14 cabinet-level departments and four agencies.

[3] "U.S. Department of Labor Audit of General Controls and Security for Selected Financial Systems as of September 30, 2001," OIG Audit Report Number 23-02-002-50-598, issued March 19, 2002.


AUDIT RESULTS, FINDINGS, AND RECOMMENDATIONS

Overall, our audit determined that management controls over the disclosure, access, and use of SSNs within the FECA program are generally adequate, but improvements can be made. Following are the results of our audit.

    1. Management controls exist to ensure that claimants are informed that their SSNs may be provided to other organizations and that disclosures of SSNs to third parties are legal under the Privacy Act. However, we concluded this process could be improved by revising the standard claimant form to ensure that the FECA claimant has read the Privacy Act Disclosure Statement explaining the use and disclosure of the claimant's SSN prior to signing the form. (See Finding Number 1.)

    2. DFEC uses six types of contractors that have access to claimant data including SSNs. We determined that the standard contracts and/or memoranda of understanding used for these contractors contain adequate language pertaining to the Privacy Act and the contractor's responsibility to safeguard the data. However, DFEC monitoring of contractors' and other entities' disclosure, access, and use of FECA data is limited to entities under DFEC's direct supervision (e.g., data entry, systems management) and large, single-site contracts (e.g., central mail facility). (See Finding Number 2.)

    3. FECA claimant records containing SSNs are provided to physicians who do not have contracts with OWCP. Our review of the process used to provide FECA claimant records to these physicians found that the physicians are not consistently given an adequate explanation of the Privacy Act requirements. Also, we were told there have been incidents where physicians have lost claimant records. (See Finding Number 3.)

    4. There are adequate controls over access to DFEC's automated management information system. We found that access is limited to DFEC employees, other Federal agencies, nurses, and record imaging and data entry contractors. There are written agreements with these parties covering the security and use of SSNs. Additionally, we reviewed the report of the most recent OIG audit on the management information system general controls and security, which included DFEC. The report contained one access control finding related to periodic reviews of users' accounts not being conducted on a regular basis, and inactive and revoked user IDs not being removed from the user directory. OWCP was in the process of implementing corrective action.

Our conclusions and recommendations are valid only with regard to the controls that existed during our audit period of February through August 2002. Projection of the adequacy of the DFEC management controls to future periods is subject to the risk that the controls may become inadequate because of changes in conditions or deterioration of their effectiveness.

Following are the details of our findings and recommendations.


Finding Number 1.
The Standard Claim Forms Need to be Revised.

DFEC needs to revise the standard claim forms so that the claimant's signature is more directly associated with his or her acknowledgement of the Privacy Act Disclosure Statement. The standard claim forms do not focus FECA claimants toward reading the Privacy Act Disclosure Statement, which explains the use and disclosure of their SSNs. This condition exists because the claimant's signature and the Privacy Act Disclosure Statement are found on different pages of the standard claim form, and individuals other than the claimant complete the pages preceding the Privacy Act Disclosure Statement. Having the signature directly associated with the Privacy Act Disclosure Statement will provide better assurance that the claimant, and any other individual responsible for completing the form, is aware that the SSN may be provided to other organizations, and that disclosures of SSNs to third parties are legal under the Privacy Act.

Three types of claim forms are used for Federal workers seeking FECA medical and/or compensation benefits for a work-related injury or illness. The form numbers and titles are:

    CA-1. Federal Notice of Traumatic Injury and Claim for Continuation of Pay/Compensation

    CA-2. Notice of Occupational Disease and Claim for Compensation

    CA-5. Claim for Compensation by Widow, Widower, and/or Children

These forms each consist of three or four pages, with the Privacy Act Disclosure Statement appearing on the last page of the document. Federal regulations [4] require that the person submitting a claim or notice must include the SSN of the injured employee.

Our review of the above forms concluded that while they comply with the Privacy Act requirements, the layout of the forms does not focus the claimant's attention beyond his/her signature on the first page.

RECOMMENDATION

We recommend that the Assistant Secretary for Employment Standards require OWCP to revise the standard claimant forms to focus the claimant's attention on the Privacy Act Disclosure Statement. This can be accomplished by inserting a line above the first data entries, requiring the claimant (and other respondents) to read the page containing the Privacy Act Disclosure Statement before completing any of the subsequent information.

[4] 20 C.F.R. § 10.100(a)

Auditee's Response

In the response to our draft report, the Assistant Secretary for Employment Standards agreed to revise the standard claimant forms; however, ESA cannot ensure that the claimant is aware of the Privacy Act. Therefore, the Assistant Secretary for Employment Standards requested that we change the wording in the recommendation from "revise the standard claimant forms to ensure that the claimant is aware of the Privacy Act Disclosure Statement" to "revise the standard claimant forms to focus the claimant's attention on the Privacy Act Disclosure Statement."

Auditor's Conclusion

We agreed with the Assistant Secretary's response and changed the wording in the recommendation. The recommendation can be resolved when ESA provides the planned dates for achieving the corrective action.


Finding Number 2.
A Cost-Effective Plan for Onsite Monitoring of Contractors and Other Entities Needs to be Implemented.

DFEC monitoring of contractors' and other entities' use and storage of FECA data is limited to entities under DFEC's direct supervision (e.g., data entry, systems management) and large, single-site contract operations (e.g., central mail facility). We found that DFEC does not conduct any onsite monitoring of its remote site contractors (e.g., nurses, rehabilitation counselors, and physician brokers) or other entities (e.g., second opinion and independent medical exam physicians). DFEC officials told us that, instead of onsite monitoring, they rely on the training they provide to the contractors. However, without adequate onsite monitoring, DFEC cannot ensure that contractors and other entities are complying with security and disclosure requirements.

DLMS 5, Chapter 200, Section 224a, provides the minimum standards for safeguarding personal information from unauthorized or unintentional access, disclosure, modification, or destruction. The DLMS requires that personal information be stored in a bar-lock cabinet, safe file, or a room secured by a double-action dead bolt lock. To the extent possible, access to areas where personal records are stored will be limited to those persons whose official duties require them to work in such areas. Control of personal records will be maintained at all times and will include an accounting of their removal from the storage area. This minimum standard is prescribed for non-duty hours as well as for duty hours.

DFEC provides SSN information on FECA claimants to its remote site contractors (e.g., nurses, rehabilitation counselors, and physician brokers) and to other entities (e.g., second opinion and independent medical exam physicians) that do not have contracts with OWCP. DFEC does not physically monitor all these contractors and other entities. DFEC officials explained that they do provide training to the contractors as part of their certification process, and the training includes securing and protecting claimant information.

It is our opinion that the training provided to the contractors is not sufficient, by itself, to ensure that SSNs are properly safeguarded and secured from unauthorized disclosure.

RECOMMENDATION

We recommend that the Assistant Secretary for Employment Standards require OWCP to develop a cost-effective, onsite monitoring program that will provide reasonable assurance that contractors and other entities are complying with the requirements for safeguarding the access and use of FECA claimants' SSNs.

Auditee's Response

In the response to our draft report, the Assistant Secretary for Employment Standards agreed with the recommendation but requested that we specify that the onsite monitoring plan be cost effective.

Auditor's Conclusion

We agreed with the Assistant Secretary's response and changed the wording in the recommendation. The recommendation can be resolved when ESA provides the planned dates for achieving the corrective action.


Finding Number 3.
Controls Over the Release of Records to Noncontractor Physicians Need to be Improved.

FECA claimant records containing SSNs are provided to physicians who do not have contracts with DOL. Our review of the process used to provide FECA claimant records to these physicians found: (1) DFEC does not consistently provide these physicians with an adequate explanation of Privacy Act requirements; and (2) there have reportedly been incidents in which physicians have lost FECA claimant records or documents.

According to 5 U.S.C. § 552a section 2, one purpose of the Privacy Act is to provide certain safeguards for an individual against an invasion of personal privacy by requiring Federal agencies, except as otherwise provided by law, to:

    Collect, maintain, use, or disseminate any record of identifiable personal information in a manner that assures that such action is for a necessary and lawful purpose, that the information is current and accurate for its intended use, and that adequate safeguards are provided to prevent misuse of such information. [Emphasis added.]

DFEC provides claimant records to two types of physicians who are not under contract with DOL. The first type is physicians who provide second opinions on a claimant's physical or mental status related to the reported injury or illness. These are referred to as second opinion physicians and they are obtained by contracted physician brokers. The second type is physicians who perform independent medical examinations because of disputes arising from diagnosis of the reported injury or illness. These are referred to as IME physicians and they are obtained through a physician national directory.

Privacy Act Notification

Our audit of the process used to provide claimant records to these physicians found that DFEC does not consistently notify the physicians of their responsibilities under the Privacy Act to safeguard the privacy information, such as the SSN. Although DFEC officials believe contracted physician brokers are disclosing claimant records to second opinion physicians in accordance with requirements of the Privacy Act, they could not provide us first-hand knowledge of how the disclosure was being done. Additionally, we found that the cover letter used to disseminate claimant records to IME physicians does not provide an adequate explanation of the Privacy Act requirements.

Claimant Records

We identified a potential problem with the accountability of claimant records provided to IME physicians. When an independent medical examination is needed, it is necessary for the applicable DFEC district office to provide the IME physician the entire claimant case file. The file is needed by IME physicians to assist them in reaching a conclusion on the issue of the cause and extent of the claimant's impairment. However, we were told by a DFEC district office official that there have been incidents in which IME physicians have lost claimant case files or case files were returned with missing documents.

RECOMMENDATIONS

We recommend that the Assistant Secretary for Employment Standards require OWCP to:

    1. Provide second opinion and IME physicians a cover letter when providing them claimant files or documentation, encouraging them to comply with the principles of the Privacy Act.

    2. Explore the extent and cause of losses of claimant files or documents by IME physicians and take any necessary corrective action.

Auditee's Response

In the response to our draft report, the Assistant Secretary for Employment Standards agreed with the recommendations. Concerning the incidents of lost claimant files or documents by IME physicians, the Assistant Secretary stated that DFEC has implemented case file imaging, which will eliminate the problem. However, the extent and cause of any lost claimant files by IME physicians will be explored, and any necessary corrective action taken.

Auditor's Conclusion

We agreed with the Assistant Secretary's response. The recommendations can be resolved when ESA provides the planned dates for achieving the corrective action.


AGENCY'S RESPONSE TO DRAFT REPORT
